Pattern Set Optimization

Activate file related patterns: By default, patterns against file-based attacks are disabled as protection against those threats is usually covered by the Antivirus engine. This default setting (disabled) provides maximum performance while enabling this option will provide maximum recognition rate. Enabling file-related patterns may be a sensible option where no other virus protection is available, e.g., Web Protection is turned off or no client Antivirus program is installed.

Manual Rule Modification

In this section, you can configure manual modifications to each IPS rule overwriting the default policy, which is taken from the attack pattern groups. Such modifications should be configured by experienced users only.

To create a modified rule, proceed as follows:

  1. In the Modified rules box, click the Plus icon.

    The Modify Rule dialog box opens.

  2. Make the following settings:

    Rule ID: Enter the ID of the rule you want to modify. To look up the rule ID, go to the list of IPS rules at the Sophos webserver. (In the folder, look for files with IPS-rules in their names, available for different Sophos UTM versions and pattern versions, and both in HTML and XML format.) In addition, they can either be determined from the IPS log or the IPS report.

    Disable this rule: When you select this option, the rule of the respective ID will be disabled.

    If you do not select this option, however, the following two options are available:

    • Disable notifications: Selecting this option will not trigger a notification in case the rule in question was applied.
    • Action: The action each rule is associated with it. You can choose between the following actions:

      • Drop: If an alleged attack attempt has been determined, the causing data packets will be dropped.
      • Alert: Unlike the Drop setting, critical data packets are allowed to pass the gateway but will create an alert message in the IPS log.
  3. Click Save.

    The rule appears in the Modified Rules box. Please note that you also need to click Apply on the bottom of the page to commit the changes.

Note – If you add a rule ID to the Modified Rules box and set the action to Alert, for example, this modification will only take effect if the group to which the rule belongs is enabled on the Attack Patterns tab. If the corresponding attack pattern group is disabled, modifications to individual IPS rules will have no effect.

Performance Tuning

In addition, to increase the performance of the intrusion prevention system and to minimize the amount of false positive alerts, you can limit the scope of IPS rules to only some of your internal servers. For example, suppose you have activated the HTTP Servers group on the Attack Patterns tab and you have selected a particular HTTP server here. Then, even if the intrusion prevention system recognizes an attack against an HTTP server, the associated action (Drop or Alert) will only be applied if the IP address of the affected server matches the IP address of the HTTP server selected here.

You can limit the scope of IPS rules for the following server types: